A security vulnerability in messaging platform WhatsApp, which has now been fixed, could have led to data exposure of users, said the cybersecurity firm Check Point Research (CPR).

The firm exposed a security vulnerability rooted in WhatsApp’s image filter function.

"Image filtering is a process through which pixels of the original image are modified to achieve some visual effects, such as blur or sharpen," CPR explained.

"By applying specific image filters to a specially crafted image and sending the resulting image, an attacker could have exploited the vulnerability to read sensitive information from WhatsApp memory," it said.

The issue impacted WhatsApp for Android prior to version 2.21.1.13 and WhatsApp Business for Android prior to version 2.21.1.13.

In order to successfully exploit the vulnerability, the attacker would have had to apply specific image filters to a specially crafted image and send the resulting image.

During their research study, it had learned that switching between various filters on crafted GIF files indeed caused WhatsApp to crash. CPR identified one of the crashes as a memory corruption. The cybersecurity firm was able to crash WhatsApp by switching between various filters on crafted GIF files.

It had promptly reported the problem to WhatsApp, who named for the vulnerability CVE-2020-1910, detailing it as an out-of-bounds read and write issue, CPR said.

The findings were disclosed to the Facebook-owned messaging platform on November 10, 2020. WhatsApp verified and acknowledged the security issue. It had then deployed a fix in version 2.21.2.13, outlining CVE-2020-1910 in its February Security Advisory update.

"A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image," WhatsApp had said in its security update.

Oded Vanunu, Head of Products Vulnerabilities Research at Check Point said, “With over two billion active users, WhatsApp can be an attractive target for attackers. Once we discovered the security vulnerability, we quickly reported our findings to WhatsApp, who was cooperative and collaborative in issuing a fix. The result of our collective efforts is a safer WhatsApp for users worldwide.”

WhatsApp in its statement said that it had no reason to believe that users had been impacted by the bug.

It said, “We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages, and we appreciate the work that Check Point does to investigate every corner of our app."

"This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users. As with any tech product, we recommend that users keep their apps and operating systems up to date, to download updates whenever they’re available, to report suspicious messages, and to reach out to us if they experience issues using WhatsApp," it added.

Related Topics
comment COMMENT NOW